Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package pcs This upload fixes CVE-2017-2661 reported in #858379 by applying an upstream patch.
diff -Nru pcs-0.9.155+dfsg/debian/changelog pcs-0.9.155+dfsg/debian/changelog
--- pcs-0.9.155+dfsg/debian/changelog 2017-01-13 13:50:46.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/changelog 2017-03-21 20:37:55.000000000 +0100
@@ -1,3 +1,9 @@
+pcs (0.9.155+dfsg-2) unstable; urgency=medium
+
+ * Add upstream fix for CVE-2017-2661 (Closes: #858379)
+
+ -- Valentin Vidic <[email protected]> Tue, 21 Mar 2017 20:37:55 +0100
+
 pcs (0.9.155+dfsg-1) unstable; urgency=medium

 * Repack upstream source without Liberation fonts (Closes: #851115)
diff -Nru pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch
--- pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch 2017-03-21 20:37:55.000000000 +0100
@@ -0,0 +1,41 @@
+From: Ondrej Mular <[email protected]>
+Date: Sat, 4 Mar 2017 14:01:43 +0100
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1428948
+Subject: [PATCH] web UI: fixed XSS vulnerability
+
+---
+ pcsd/public/js/nodes-ember.js | 4 ++--
+ pcsd/public/js/pcsd.js | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/pcsd/public/js/nodes-ember.js
++++ b/pcsd/public/js/nodes-ember.js
+@@ -75,7 +75,7 @@
+ var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
+ $.each(this.get("sbd_config"), function(opt, val) {
+ if (banned_options.indexOf(opt) == -1) {
+- out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
++ out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
+ }
+ });
+ return out + '</table>';
+@@ -879,7 +879,7 @@
+ }.property("status_val"),
+ show_status: function() {
+ return '<span style="' + this.get('status_style') + '">'
+- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
++ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ + '</span>';
+ }.property("status_style", "disabled"),
+ status_class: function() {
+--- a/pcsd/public/js/pcsd.js
++++ b/pcsd/public/js/pcsd.js
+@@ -822,7 +822,7 @@
+
+ dialog_obj.find('#auth_nodes_list').empty();
+ unauth_nodes.forEach(function(node) {
+- dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
++ dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
+ });
+
+ }
diff -Nru pcs-0.9.155+dfsg/debian/patches/series pcs-0.9.155+dfsg/debian/patches/series
--- pcs-0.9.155+dfsg/debian/patches/series 2017-01-13 13:50:46.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/patches/series 2017-03-21 20:37:55.000000000 +0100
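Review bot: In the pcsd.js hunk the second `htmlEncode(node)` is placed inside a double-quoted attribute (`name="…-pass"`), which is only safe if `htmlEncode` also escapes `"`; its definition is not part of this patch, and the widespread `$('<div/>').text(s).html()` idiom escapes `<`, `>` and `&` but leaves quotes alone, so a node name containing `"` could still close the attribute and inject further attributes. Building the row through the DOM API instead of string concatenation removes the dependency on the encoder's quote handling entirely, as in the rewrite below. The `status_style` value in the `show_status` hunk remains unescaped inside a `style` attribute; it appears to be a locally computed property (from `status_val`) rather than cluster-supplied data, but that is worth confirming outside the hunk. The embedded upstream diffstat says 3 files / 7 insertions while only two files and six changed lines are carried here, so it is worth checking that the dropped file was not code. The `forEach` sits inside a function whose start lies outside the hunk.
```javascript
unauth_nodes.forEach(function(node) {
  var row = $('<tr>');
  row.append($('<td>').text(node));
  row.append($('<td>').append(
    $('<input>', { type: 'password', name: node + '-pass' })
  ));
  dialog_obj.find('#auth_nodes_list').append(row);
});
```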
@@ -9,3 +9,4 @@
 0009-Fix-testsuite.patch
 0010-Replace-chkconfig.patch
 0011-Fix-python-lxml.patch
+0012-CVE-2017-2661.patch
unblock pcs/0.9.155+dfsg-2 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system)

